Python: Move LdapInjection to new dataflow API

RasmusWL · RasmusWL · commit 05573904a558 · 2023-08-28T15:27:50.000+02:00
We could have switched to a stateful config, but I tried to keep changes
as straight forward as possible.
diff --git a/python/ql/lib/semmle/python/security/dataflow/LdapInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/LdapInjectionQuery.qll
@@ -14,10 +14,12 @@ import semmle.python.dataflow.new.RemoteFlowSources
 import LdapInjectionCustomizations::LdapInjection
 
 /**
+ * DEPRECATED: Use `LdapInjectionDnFlow` module instead.
+ *
  * A taint-tracking configuration for detecting LDAP injection vulnerabilities
  * via the distinguished name (DN) parameter of an LDAP search.
  */
-class DnConfiguration extends TaintTracking::Configuration {
+deprecated class DnConfiguration extends TaintTracking::Configuration {
   DnConfiguration() { this = "LdapDnInjection" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -31,11 +33,24 @@ class DnConfiguration extends TaintTracking::Configuration {
   }
 }
 
+private module LdapInjectionDnConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof DnSink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof DnSanitizer }
+}
+
+/** Global taint-tracking for detecting "LDAP injection via the distinguished name (DN) parameter" vulnerabilities. */
+module LdapInjectionDnFlow = TaintTracking::Global<LdapInjectionDnConfig>;
+
 /**
+ * DEPRECATED: Use `LdapInjectionFilterFlow` module instead.
+ *
  * A taint-tracking configuration for detecting LDAP injection vulnerabilities
  * via the filter parameter of an LDAP search.
  */
-class FilterConfiguration extends TaintTracking::Configuration {
+deprecated class FilterConfiguration extends TaintTracking::Configuration {
   FilterConfiguration() { this = "LdapFilterInjection" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -48,3 +63,19 @@ class FilterConfiguration extends TaintTracking::Configuration {
     guard instanceof FilterSanitizerGuard
   }
 }
+
+private module LdapInjectionFilterConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof FilterSink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof FilterSanitizer }
+}
+
+/** Global taint-tracking for detecting "LDAP injection via the filter parameter" vulnerabilities. */
+module LdapInjectionFilterFlow = TaintTracking::Global<LdapInjectionFilterConfig>;
+
+/** Global taint-tracking for detecting "LDAP injection" vulnerabilities. */
+module LdapInjectionFlow =
+  DataFlow::MergePathGraph<LdapInjectionDnFlow::PathNode, LdapInjectionFilterFlow::PathNode,
+    LdapInjectionDnFlow::PathGraph, LdapInjectionFilterFlow::PathGraph>;
diff --git a/python/ql/src/Security/CWE-090/LdapInjection.ql b/python/ql/src/Security/CWE-090/LdapInjection.ql
@@ -14,14 +14,14 @@
 // Determine precision above
 import python
 import semmle.python.security.dataflow.LdapInjectionQuery
-import DataFlow::PathGraph
+import LdapInjectionFlow::PathGraph
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, string parameterName
+from LdapInjectionFlow::PathNode source, LdapInjectionFlow::PathNode sink, string parameterName
 where
-  any(DnConfiguration dnConfig).hasFlowPath(source, sink) and
+  LdapInjectionDnFlow::flowPath(source.asPathNode1(), sink.asPathNode1()) and
   parameterName = "DN"
   or
-  any(FilterConfiguration filterConfig).hasFlowPath(source, sink) and
+  LdapInjectionFilterFlow::flowPath(source.asPathNode2(), sink.asPathNode2()) and
   parameterName = "filter"
 select sink.getNode(), source, sink,
   "LDAP query parameter (" + parameterName + ") depends on a $@.", source.getNode(),
